Air Force Web Site Administration, Policies, and Practices


Executive  Summary 


Introduction.  This  report  is  one  in  a  series  that  address  Internet  access,  practices,  and 
policies.  Subsequent  reports  will  cover  Web  site  administration  within  the  Army  and 
DoD.  The  Naval  Audit  Service  plans  to  issue  a  separate  report  based  on  the  audit  of 
Web  site  administration  within  the  Navy  and  the  Marine  Corps. 

This  report  evaluates  Internet  access,  practices,  and  policies  for  Air  Force  Web  site 
administration.  In  April  2001,  the  Air  Force  issued  “Transmission  of  Information  Via 
the  Internet,”  Air  Force  Instruction  33-129.  Air  Force  Instruction  33-129  defines  the 
roles  and  responsibilities  of  personnel  establishing,  revising,  and  operating  an  Internet 
Web  site.  It  prohibits  the  display  of  classified  and  sensitive  information  on  publicly 
accessible  Air  Force  Web  sites,  and  it  requires  annual  reviews  to  ensure  compliance  to 
Air  Force  and  DoD  policy.  Air  Force  Instruction  33-129  also  requires  major  Air  Force 
commands  and  wing  level  commanders  to  register  their  Web  sites  with  Air  Force  Link 
that  serves  as  a  registration  database  for  data  into  the  Government  Information  Locator 
Service.  The  Government  Information  Locator  Service  helps  citizens  identify,  locate, 
and  retrieve  information  about  their  government. 

Objectives.  Our  objective  was  to  evaluate  Air  Force  policies  and  practices  for  Web 
site  administration  and  oversight.  Specifically,  we  reviewed  how  the  Air  Force  hosts 
official  Web  sites  and  how  it  registers  and  monitors  Web  sites  for  compliance  with 
policy  and  safeguards  sensitive  information.  We  also  evaluated  the  management  control 
program  as  it  related  to  the  overall  objective. 

Results.  The  Air  Force  had  not  developed  adequate  plans  to  annually  review  its  Web 
sites.  In  addition,  the  listing  of  Air  Force  publicly  accessible  Web  sites  recorded  in  Air 
Force  Link  did  not  match  the  data  reported  in  Government  Information  Locator 
Service.  As  a  result,  the  Air  Force  had  140  publicly  accessible  Web  sites  that  included 
potentially  inappropriate  information.  Further,  the  process  for  the  removal  of  sensitive 
information  was  not  reliable.  In  positive  actions,  the  Air  Force  developed  a  new 
training  program  for  personnel  working  on  Web  sites,  and  oversight  of  Air  Force  Web 
sites  has  improved  with  the  establishment  of  the  Air  Force  Web  Risk  Assessment  Cell. 
See  Appendix  A  for  details  on  the  management  control  program  concerning  the 
performance  of  annual  reviews  and  the  establishment  of  a  followup  system  to  ensure  all 
issues  relating  to  the  posting  of  inappropriate  data  on  Web  sites  are  resolved.  For 
details  of  the  audit  results,  see  the  Finding  section  of  the  report. 

Summary  of  Recommendations.  We  recommend  that  the  Director,  Office  of  Public 
Affairs, Department of the Air Force, establish a process to conduct annual multi-disciplinary
reviews of Web sites, report results of the reviews to the Chief Information
Officer, Department of the Air Force, and establish a followup system to ensure
corrective actions are implemented when inappropriate postings are identified. We also
recommend  that  the  Chief  Information  Officer,  Department  of  the  Air  Force  revise 
Air  Force  Instruction  33-129,  “Transmission  of  Information  via  the  Internet”,  April  4, 
2001,  to  require  annual  reviews  that  verify  and  match  data  in  the  Air  Force  Link  with 
data  contained  in  the  Government  Information  Locator  Service. 

Management  Comments.  The  Chief  Information  Officer,  Department  of  the  Air 
Force,  who  responded  for  the  Air  Force,  concurred  with  the  recommendations. 
Specifically,  the  Office  of  Public  Affairs,  Department  of  the  Air  Force,  is  establishing  a 
process  to  ensure  information  is  screened  prior  to  posting.  Web  masters  will  review 
Web  sites  for  unauthorized  information,  and  the  Office  of  Public  Affairs,  Department 
of  the  Air  Force,  will  accomplish  annual  and  spot  reviews  to  verify  compliance  with 
policy  and  assure  content  accuracy.  The  Air  Force  intends  to  develop  and  implement 
the  review  process  within  6  months.  The  Chief  Information  Officer  of  the  Air  Force 
also  stated  that  the  Deputy  Chief  of  Staff,  Communications  and  Information  had  already 
begun  the  process  of  issuing  a  revised  Air  Force  Instruction  33-129,  “Transmission  of 
Information  Via  the  Internet,”  April  4,  2001.  In  addition,  the  Chief  Information 
Officer,  Department  of  the  Air  Force  will  ensure  that  Air  Force  Link  and  Government 
Information  Locator  Service  data  are  consistent  and  that  public  Web  sites  do  not 
disclose  inappropriate  data. 

Background


DoD  Web  Page  Policy.  The  “DoD  Web  Site  Administration  Policy  and 
Procedures,”  (the  Policy)  implemented  December  7,  1998,  and  updated 
April  26,  2001,  describes  procedures  for  establishing,  operating,  and 
maintaining  DoD  unclassified  Web  sites.  The  Policy  requires  heads  of  DoD 
Components  to  establish  a  process  to  identify  appropriate  information  for 
posting  to  Web  sites.  The  Policy  ensures  that  all  information  placed  on  publicly 
accessible  Web  sites  is  reviewed  for  security  levels  of  sensitivity  and  other 
concerns  before  the  information  is  released. 

In  addition,  the  Policy  requires  Components  to  establish  procedures  for 
management  oversight  and  a  regular  functional  review  of  Web  sites,  and  to 
provide  necessary  resources  to  support  Web  site  operations  including  funding, 
staffing,  and  training.  It  also  requires  an  annual  security  assessment  of  Web 
sites.  Moreover,  Components  must  register  each  publicly  accessible  Web  site 
with  the  Government  Information  Locator  Service  (GILS).  GILS  helps  citizens 
identify,  locate,  and  retrieve  information  about  their  government.  GILS  resides 
on  Defense  Link,  which  is  the  official  Web  site  for  DoD  and  the  starting  point 
for  finding  military  information  online  about  defense  policy,  organizations, 
functions,  and  operations. 

The  Policy  defines  a  DoD  Web  site  as  a  collection  of  information  organized  into 
a  number  of  Web  documents  related  to  a  common  subject  or  set  of  subjects 
including  a  Home  Page  and  links  to  subordinate  information  that  is  included  on 
a  Web  page.  A  Home  Page  is  the  index  or  introductory  document  for  a  Web 
site.  A  Web  site  is  developed  and  maintained  with  command  sponsorship, 
approval,  and  editorial  supervision  over  content. 

DoD  Oversight  of  Web  Content.  On  February  25,  1999,  the  Secretary  of 
Defense  approved  the  Joint  Web  Risk  Assessment  Cell  (JWRAC)  plan  to  use 
Reserve  assets  to  conduct  ongoing  security  and  threat  assessments  of 
Components  Web  sites.  The  JWRAC  is  responsible  for  analyzing  data  on  DoD 
Web  sites  for  information  that  poses  potential  or  real  threats  to  ongoing 
operations  and  DoD  personnel.  Inappropriate  data  include  data  labeled  “For 
Official  Use  Only,”  “sensitive,”  classified,  and  other  information  at  one  or 
more  sites  that  combined,  would  be  sensitive  or  classified,  and  should  not  be 
released  to  the  general  public. 

Air Force Policy on Web Sites. Air Force Instruction 33-129, “Transmission
of Information via the Internet,” dated April 4, 2001,¹ defines the roles and
responsibilities of personnel using and maintaining the Internet. It assigns the
development of policy to the Air Force Director of Communication and
Information who is the Deputy Chief Information Officer for the Air Force. It
prohibits the display of offensive and obscene material, and prohibits links to
offensive or unrelated commercial sites at Air Force Web sites. It also requires
Air Force officials to develop procedures for establishing and maintaining a
public Web site and to conduct multi-disciplinary annual reviews of Web sites.
The multi-disciplinary annual reviews include representatives from
communications and information, public affairs, legal, contracting and
operations, and other necessary disciplines to review questions concerning the
sensitivity of information on public Web sites.

¹ Air Force Instruction 33-129 was originally issued on August 1, 1999.

Air  Force  Instruction  35-101,  “Public  Affairs  Policies  and  Procedures,”  dated 
December  1,  1999,  defines  prohibited  information  such  as  links  to  offensive  or 
unrelated  commercial  material,  disclosure  of  sensitive  movements  of  military 
assets  and  personnel,  locations  of  units  and  installations,  personal  information 
protected  under  the  Privacy  Act,  copyright  information,  trademarks  and  logos, 
and  classified  information.  Air  Force  Instruction  35-101  requires  that  the  Office 
of  Public  Affairs  serve  as  the  point  of  contact  to  conduct  the  multi-disciplinary 
periodic  reviews;  determine  the  appropriateness  of  content,  design,  and 
operations  of  an  Air  Force  Web  site;  and  provide  direction  for  registering  public 
Web  sites  with  GILS. 

Air  Force  Instruction  35-101  further  requires  major  Air  Force  commands  and 
wing  level  commanders  to  register  their  Web  sites  with  Air  Force  Link,  that  the 
Office  of  Public  Affairs  maintains.  The  Link  serves  as  a  registration  database 
for  information  recorded  in  GILS.  Registration  requires  that  officials  record 
information  such  as  Web  site  title,  internet  address,  major  Air  Force  command, 
base  location,  point  of  contact,  and  other  pertinent  Web  site  information. 

Objectives 


Our  objective  was  to  evaluate  Air  Force  policies  and  practices  for  Web  site 
administration  and  oversight.  Specifically,  we  reviewed  how  the  Air  Force 
hosts  official  Web  sites,  and  how  it  registers  and  monitors  Web  sites  for 
compliance  with  policy  and  safeguards  sensitive  information.  We  also  evaluated 
the  management  control  program  as  it  relates  to  the  overall  objective.  See 
Appendix  A  for  a  discussion  of  the  audit  scope  and  methodology,  the 
management  control  program,  and  prior  audit  coverage. 

Air Force Internet Access, Practices,
and  Policies 

The  Air  Force  had  not  developed  adequate  plans  to  annually  review  its 
Web  sites.  This  occurred  because  the  Director,  Office  of  Public  Affairs, 
Department  of  the  Air  Force,  did  not  monitor  the  conduct  of  required 
annual reviews and did not follow up and resolve findings identified
during  the  annual  reviews  in  a  timely  manner.  In  addition,  the  listing  of 
Air  Force  publicly  accessible  Web  sites  recorded  in  Air  Force  Link  did 
not  match  the  data  reported  in  GILS.  Officials  stated  that  this  occurred 
because  Air  Force  Link  was  damaged  when  GILS  was  upgraded, 
resulting  in  a  failure  to  maintain  matching  databases.  As  a  result,  the 
Air  Force  had  140  publicly  accessible  Web  sites  that  included  potentially 
inappropriate  information.  Further,  the  process  for  the  removal  of 
sensitive  information  was  not  reliable.  In  positive  actions,  the  Air  Force 
developed  a  new  training  program  for  personnel  working  on  Web  sites, 
and  oversight  of  Air  Force  Web  sites  has  improved  with  the 
establishment  of  the  Air  Force  Web  Risk  Assessment  Cell. 

Information  on  Air  Force  Public  Web  Sites 


In June 2001, the Office of the Deputy Assistant Secretary of Defense
(Intelligence)  identified  140  Air  Force  Web  sites  that  were  publicly  accessible 
and  contained  information  that  was  identified  with  warnings  such  as 
“Destruction  Notice,”  “For  Official  Use  Only,”  “Distribution  Authorized,” 
“Distribution  Limited,”  “Pre-decisional,”  and  “Secret.”  All  the  warnings 
restrict  the  audience  and  are  not  for  general  public  consumption. 

During  June  2001,  the  Deputy  Assistant  Secretary  of  Defense  (Intelligence) 
submitted  information  on  those  140  sites  and  related  information  to  JWRAC  for 
analysis.  If  the  sites  are  analyzed,  the  results  of  the  JWRAC  analysis  will  help 
the  Air  Force  identify  information  that  should  not  be  included  on  Web  sites 
accessible  by  the  general  public. 

Annual  Reviews  of  Air  Force  Web  Sites 


Of  the  three  major  Air  Force  commands  and  wing  level  commanders  visited, 
two  major  commands  and  one  wing  level  commander  did  not  conduct  annual 
reviews  since  2000.  Also,  the  Director,  Office  of  Public  Affairs,  Department  of 
the  Air  Force,  neither  ensured  the  completion  of  the  annual  reviews  nor 
resolved  issues  identified  during  the  reviews. 

Air  Force  Special  Operations  Command.  Personnel  at  the  Air  Force 
Special  Operations  Command  conducted  one  multi-disciplinary  review  in  the 
summer  of  2000.  Air  Force  officials  did  not  prepare  a  written  report  on  the 
review  results  but  would  alert  page  maintainers  if  inappropriate  information  was 
posted  on  their  Web  sites.  Also,  Air  Force  officials  did  not  conduct  later 
reviews because they were awaiting a revised command instruction that
provided  guidance  on  conducting  the  annual  assessments.  On  August  3,  2001, 
Air  Force  officials  agreed  to  conduct  the  annual  multi-disciplinary  review  as 
required  by  Air  Force  Special  Operations  Command  Instruction  33-303, 
“Communications  and  Information,”  November  1,  1999. 

Air  Mobility  Command.  Officials  from  the  Air  Mobility  Command 
conducted  a  multi-disciplinary  review  in  early  1999,  and  sent  the  results  to 
Headquarters  U.S.  Air  Force,  Communication  and  Information.  The  results  of 
the  review  indicated  that  sensitive  information  did  not  appear  on  publicly 
accessible  Web  sites.  Since  1999,  officials  have  not  conducted  further  reviews. 
However, the command office of public affairs reviewed all changes to the
command  Web  sites.  The  officials  stated  that  the  risk  of  improper  data  located 
at  the  Web  site  was  reduced. 

375th Airlift Wing. The 375th Airlift Wing conducted a multi-disciplinary
review in 1999, and reported the results to the Vice Commander,
Air  Mobility  Command.  The  results  of  the  review  indicated  that  sensitive 
information  did  not  appear  on  publicly  accessible  Web  sites.  However,  the 
375th  Airlift  Wing  had  not  performed  a  review  subsequent  to  1999  because 
officials  stated  that  they  were  not  tasked  to  conduct  the  review. 

Air  Force  Public  Affairs.  Officials  from  the  Office  of  Public  Affairs, 
Department  of  the  Air  Force,  and  the  Headquarters  U.S.  Air  Force, 
Communication  and  Information  required  the  annual  multi-disciplinary  reviews 
in  March  2001,  with  completion  by  April  2001.  However,  they  did  not 
follow up with major command and air wing level commanders who did not
respond  by  the  due  date.  This  occurred  because  of  personnel  changes  and  the 
followup  duties  remained  unassigned.  In  addition,  the  Office  of  Public  Affairs, 
Department  of  the  Air  Force,  did  not  follow  up  and  resolve  findings  identified 
during  the  annual  reviews  in  a  timely  manner.  During  the  audit,  Air  Force 
officials  from  the  Office  of  Public  Affairs,  Department  of  the  Air  Force,  agreed 
that  a  process  to  ensure  that  major  Air  Force  commands  and  wing  level 
commanders  conduct  annual  reviews  and  establish  a  followup  system  to  resolve 
issues  identified  during  the  annual  reviews  was  needed. 

The  annual  multi-disciplinary  reviews  are  a  necessary  part  of  Web  site 
administration.  The  reviews  help  ensure  that  only  information  germane  to  the 
general  public  is  posted  for  review  and  public  dissemination.  Although  Air 
Force  Instruction  33-129  requires  an  annual  review,  and  the  Office  of  Public 
Affairs,  Department  of  the  Air  Force,  and  the  Headquarters  U.S.  Air  Force, 
Communication  and  Information  Office  jointly  tasked  the  effort  in  March  2001, 
a  process  is  needed  to  ensure  that  all  annual  reviews  are  conducted,  results  are 
reported  to  the  Chief  Information  Officer  of  the  Air  Force,  and  a  followup 
system  is  in  place  to  ensure  corrective  actions  are  implemented  when 
inappropriate  postings  are  identified. 

Web Site Registration in Air Force Link and Government
Information  Locator  Service 


Listings  of  Air  Force  Web  sites  accessible  to  the  general  public  as  shown  in  Air 
Force  Link  are  different  from  those  registered  in  GILS.  As  of  August  22,  2001, 
there  were  607  registered  Air  Force  Web  sites  listed  on  Air  Force  Link.  There 
were 421 Air Force listings in GILS. Only 170 were listed at both sites, with the
remainder listed either only in GILS (251) or only in Air Force Link (437). Air
Force  officials  from  the  Office  of  Public  Affairs,  Department  of  the  Air  Force, 
stated  that  Air  Force  Link  was  damaged  when  GILS  was  updated,  resulting  in  a 
failure  to  keep  the  two  databases  identical.  In  addition,  officials  stated  that  they 
revised  the  registration  process  since  May  2001  so  that  the  registration 
information  directs  registrants  to  the  GILS  Web  site.  However,  they  stated  that 
they  did  not  have  the  resources  to  compare  the  lists  of  publicly  accessible  Air 
Force  Web  sites  recorded  in  the  Air  Force  Link  to  those  reported  in  GILS. 

Although  registration  is  a  requirement  for  Air  Force  Link  and  GILS,  there  is  no 
requirement  to  ensure  that  both  listings  are  identical  and  current.  As  part  of  the 
multi-disciplinary  annual  review,  major  commands  and  wing  level  commanders 
should ensure that the information in both listings is current and identical, and that
discrepancies are reported and corrected. Oversight and identical registration will
ensure that Air Force officials have a listing of all publicly accessible Web sites
so that when policy changes occur, they can be disseminated to Web officials;
when  training  requirements  are  established,  training  can  be  planned  and  taken; 
and  when  performing  annual  reviews,  all  publicly  accessible  sites  can  be 
analyzed.  Air  Force  Instruction  33-129  must  be  revised  because  it  only  requires 
the  annual  review  to  analyze  the  Web  sites  and  pages  rather  than  the  validity, 
currency,  and  consistency  of  information  included  in  Air  Force  Link  and  GILS. 

Training  of  Web  Personnel 


The  Air  Force  Communications  Agency  is  developing  a  computer  based  training 
course  for  Web  masters  and  other  Web  administration  personnel  such  as  page 
maintainers.  A  Web  master  is  a  system  administrator  for  a  Web  server,  which 
hosts  the  Home  Page.  The  Web  master  is  responsible  for  operations  of  the 
server,  security,  maintenance,  registration  with  Air  Force  Link,  and  posting  of 
appropriate  information  on  a  Web  site.  A  page  maintainer  assists  the  Web 
master  implementing  access  and  security  controls  over  the  Web  site,  and  also 
develops  and  maintains  subordinate  pages,  reviews,  and  documents;  obtains 
release  approval  on  material;  validates  links  to  ensure  proper  access  and  control; 
and  ensures  outdated  data  is  removed  from  a  Web  site.  The  course  includes  a 
4-hour  session  with  a  1-hour  review  followed  by  questions  that  must  be 
answered  with  a  70  percent  correct  score  for  successful  completion  of  the 
course.  Instruction  topics  include  Web  administration,  roles  of  personnel,  the 
Web  server,  system  security,  Web  site  establishment,  page  design,  and  the 
collection  of  information. 

The training will enable participants to perform essential Internet administration
tasks  and  manage  the  enterprise  in  a  secure  manner.  Air  Force  officials  indicate 
that  the  course  will  be  a  mandatory  requirement  for  current  Web  masters  and 
other  Web  personnel.  In  addition,  newly  designated  personnel  must  take  the 
course  before  they  are  assigned  Web  administration  duties.  Air  Force  officials 
also  plan  to  include  the  course  as  a  requirement  for  other  network  professionals. 

The  course  development  is  a  positive  initiative  and  will  ensure  that  individuals, 
who  are  assigned  the  responsibility  for  Web  site  administration,  will  receive 
training  on  policy  and  practice. 

Air  Force  Web  Risk  Assessment  Cell  Established 


In  August  2000,  the  Air  Force  established  an  Air  Force  Web  Risk  Assessment 
Cell  that  is  responsible  for  vulnerability  analyses  and  threat  assessments  of  the 
content  of  Air  Force  Web  sites.  The  cell  analyzes  content  and  data  on  Air 
Force  Web  sites.  It  also  reviews  cross  sectional  Web  information,  trend 
analysis,  and  data  aggregation  where  unclassified  information  from  multiple 
Web  sites  could  be  combined  to  create  sensitive  or  classified  information  that 
could  pose  a  threat  to  ongoing  operations  or  personnel.  Also,  it  reviews  Air 
Force  Web  sites  for  compliance  with  Air  Force  instructions,  ensures  recognition 
and  reporting  of  vulnerabilities  at  one  or  multiple  Web  sites,  and  notifies 
officials  of  the  results.  The  cell  reports  routine  observations  on  a  scheduled 
basis  to  the  commanders  of  major  commands,  direct  reporting  units  and  field 
operating  agencies,  and  reports  critical  observations  immediately  to  respective 
Air  Force  officials. 

The cell has only issued one report dated April 2, 2001. The report was
addressed  to  Headquarters  U.S.  Air  Force,  Communications  and  Information, 
and  identified  six  Air  Force  sites  with  “For  Official  Use  Only”  information, 
sensitive  information,  and  access  issues.  The  report  stated  that  officials  were  in 
the  process  of  defining  the  report  format  and  frequency.  When  the  report  was 
issued  in  April  2001,  four  of  the  six  identified  issues  were  closed  and  Air  Force 
officials  were  addressing  the  other  two.  Air  Force  officials  informed  us  that 
they  subsequently  defined  the  resources  needed  to  perform  the  review,  including 
funding  and  training  requirements  for  involved  personnel,  and  the  process  for 
reporting  and  following  up  results.  The  cell  began  further  assessments  in 
September  2001. 

The  establishment  of  the  Air  Force  Web  Risk  Assessment  Cell  will  complement 
the  Joint  Web  Risk  Assessment  Cell.  It  will  provide  the  Air  Force  an 
assessment  of  the  content  of  its  Web  sites  and  will  help  to  deter  Web  site 
misuse. 

Summary

GILS  was  established  to  help  citizens  identify,  locate,  and  retrieve  information 
about  their  government.  Web  sites  must  be  informative  and  contain  only 
information  appropriate  for  posting.  To  achieve  this,  managers  who  are 
responsible  for  Web  administration  including  posting  information  on  Web  sites, 
must  be  aware  of  the  policy  and  process  for  establishing  and  revising  Web  sites 
as  well  as  appropriate  Web  page  content.  Training  in  Web  site  administration  is 
a  first  step  to  safeguarding  sensitive  information  along  with  the  establishment  of 
an oversight Web risk assessment cell. In addition, performing annual multi-disciplinary
reviews is imperative. Further, a listing of Web masters and Web
sites  that  are  consistently  reported  in  DoD  and  Air  Force  databases  will  help 
facilitate  the  distribution  of  new  policy,  assist  in  the  oversight  of  known  public 
Web  sites,  and  ensure  training  of  appropriate  officials.  All  of  those  steps  will 
help  prevent  the  disclosure  of  sensitive  movements  of  military  assets  or 
personnel;  locations  of  units,  installations,  or  personnel;  personal  information 
protected  under  the  Privacy  Act;  copyright  information;  trademarks  and  logos; 
and  classified  information  at  Air  Force  publicly  accessible  Web  sites. 

Recommendations  and  Management  Comments 


1.  We  recommend  that  the  Director,  Office  of  Public  Affairs,  Department 
of  the  Air  Force: 

a.  Establish  a  process  for  conducting  annual  multi-disciplinary 
reviews  of  Web  sites  and  for  reporting  the  review  results  to  the  Chief 
Information  Officer,  Department  of  the  Air  Force. 

b.  Establish  a  followup  system  to  ensure  corrective  actions  are 
implemented  when  inappropriate  postings  to  Air  Force  Web  sites  are 
identified. 

2.  We  recommend  that  the  Chief  Information  Officer,  Department  of  the 
Air  Force  revise  Air  Force  Instruction  33-129,  “Transmission  of 
Information  via  the  Internet”,  April  4,  2001,  to  require  annual  reviews 
that  verify  and  match  data  contained  in  Air  Force  Link  with  data 
contained  in  Government  Information  Locator  Service. 

Management  Comments.  The  Chief  Information  Officer,  Department  of  the 
Air  Force,  who  responded  to  our  memorandum  to  the  Assistant  Secretary  of  the 
Air  Force  (Financial  Management  and  Comptroller),  concurred.  Specifically, 
the  Office  of  Public  Affairs,  Department  of  the  Air  Force,  is  establishing  a 
process  to  ensure  information  is  screened  prior  to  posting.  Web  masters  will 
review  Web  sites  for  unauthorized  information  and  Public  Affairs  will 
accomplish  annual  and  spot  reviews  to  verify  compliance  with  policy  and  assure 
content  accuracy.  The  Air  Force  intends  to  develop  and  implement  the  review 
process  within  6  months.  The  Chief  Information  Officer  also  stated  that  the 
Deputy  Chief  of  Staff,  Communications  and  Information,  Department  of  the  Air 
Force,  had  already  begun  the  process  of  issuing  a  revised  Air  Force  Instruction 
33-129,  “Transmission  of  Information  Via  the  Internet.”  In  addition,  the  Chief 
Information Officer, Department of the Air Force will ensure that Air Force
Link  and  Government  Information  Locator  Service  data  are  consistent  and  that 
public  Web  sites  do  not  disclose  inappropriate  data. 

Appendix A. Audit Process

Scope  and  Methodology 


We  visited  three  major  Air  Force  commands  including  the  Air  Force  Special 
Operations  Command,  the  Air  Mobility  Command,  and  the  Air  Education  and 
Training  Command.  We  selected  the  Air  Force  Special  Operations  Command 
because  it  supports  a  unified  DoD  command.  We  selected  the  Air  Mobility 
Command  because  it  was  located  at  the  site  of  the  Air  Force  Communications 
Agency  where  Web  training  is  being  developed,  and  we  selected  the  Air 
Education  and  Training  Command  because  it  was  located  near  the  Air  Force 
Joint  Web  Risk  Assessment  Cell.  The  Air  Wings  visited  include  the  375th 
Airlift  Wing,  the  16th  Special  Operations  Wing,  and  the  12th  Flying  Training 
Wing  that  were  located  at  the  major  commands  visited.  Although  we  reviewed 
three  Air  Force  major  commands  and  three  Air  Force  air  wing  commanders, 
our  results  do  not  reflect  a  projection  of  all  Air  Force  major  commands  and  air 
wing  commanders.  We  reviewed  and  evaluated  Web  site  policies  of  the  Air 
Force  for  Web  site  locations  available  to  the  public.  We  conducted  discussions 
with  Air  Force  officials  to  evaluate  whether  policies  and  practices  were 
adequate,  and  we  reviewed  records  and  documents  from  December  1998  until 
August  2001. 

Audit  Type,  Dates  and  Standards.  We  performed  this  program  results  audit 
from  May  2001  through  September  2001  in  accordance  with  generally  accepted 
government  auditing  standards. 

Use  of  Computer-Processed  Data.  We  relied  on  computer-processed  data 
without  performing  tests  of  system  general  and  application  controls  to  confirm 
the  reliability  of  the  database.  However,  not  establishing  the  reliability  of  the 
database  will  not  affect  the  results  of  our  audit.  We  relied  on  judgmental 
sampling  procedures  to  develop  conclusions  on  this  audit. 

Use  of  Technical  Assistance.  A  computer  specialist  from  the  Information 
Systems  Directorate,  Office  of  the  Assistant  Inspector  General  for  Auditing, 
DoD,  assisted  the  auditors  in  reviewing  the  registration  of  Web  sites  in  the  Air 
Force Link and GILS databases. The computer specialist performed a
comparison  of  the  databases  to  determine  the  Web  sites  that  were  contained  in 
both  databases. 

Contacts  During  the  Audit.  We  visited  or  contacted  individuals  and 
organizations  within  DoD.  Further  details  are  available  on  request. 

General  Accounting  Office  High-Risk  Area.  The  General  Accounting  Office 
has  identified  several  high-risk  areas  in  the  DoD.  This  report  provides  coverage 
of  the  Information  Security  high-risk  area. 

Management Control Program Review


DoD Directive 5010.38, “Management Control (MC) Program,” August 26,
1996,  and  DoD  Instruction  5010.40,  “Management  Controls  (MC)  Program 
Procedures,”  August  28,  1996,  require  DoD  managers  to  implement  a 
comprehensive  system  of  management  controls  that  provide  reasonable 
assurance  that  programs  are  operating  as  intended  and  to  evaluate  the  adequacy 
of  the  controls. 

Scope  of  Review  of  the  Management  Control  Program.  We  reviewed  the 
adequacy  of  Air  Force  management  controls  over  DoD  and  Air  Force  policies 
and  practices  for  Web  site  administration  and  oversight.  In  assessing  those 
controls,  we  evaluated  policies  and  practices  on  how  Government  or  other 
servers  host  official  Air  Force  Web  sites,  and  how  the  Air  Force  registers  and 
monitors  Web  sites  for  compliance  with  policy  and  safeguards  sensitive 
information.  We  reviewed  management’s  self-evaluation  applicable  to  those 
controls. 

Adequacy  of  Management  Controls.  We  identified  material  management 
control  weaknesses  for  the  Air  Force  as  defined  by  DoD  Instruction  5010.40. 
Air  Force  management  controls  for  oversight  of  Air  Force  Web  sites  were  not 
adequate  to  identify  a  complete  listing  of  Web  sites,  conduct  annual 
multi-disciplinary  reviews,  and  establish  a  followup  system  to  track  inappropriate 
information  posted.  The  recommendations,  if  implemented,  will  improve  the 
oversight  and  Web  site  administration  process.  A  copy  of  the  report  will  be 
provided  to  the  senior  officials  responsible  for  management  controls  in  the 
Office  of  the  Assistant  Secretary  of  Defense  (Command,  Control, 
Communications,  and  Intelligence). 

Adequacy  of  Management’s  Self-Evaluation.  The  Director,  Office  of  Public 
Affairs,  Department  of  the  Air  Force,  did  not  identify  oversight  of  Air  Force 
Web  sites  as  an  assessable  unit  and,  therefore,  did  not  identify  or  report  the 
material  management  control  weakness  identified  by  the  audit. 

Prior  Coverage 


General  Accounting  Office 

During  the  last  five  years,  GAO  has  issued  two  reports  on  the  issue  of  Internet 
privacy. 

GAO  Report  No.  GAO-01-147R  “Internet  Privacy:  Federal  Agency  Use  of 
Cookies,”  October  20,  2000 

GAO  Report  No.  GAO/AIMD-00-296R  (OSD  Case  No.  2074)  “Internet 
Privacy:  Comparison  of  Federal  Agency  Practices  With  FTC’s  Fair  Information 
Principles,”  September  11,  2000 
Inspector  General,  DoD 


Inspector  General,  DoD,  Report  No.  D2001-130,  “DoD  Internet  Practices  and 
Policies,”  May  31,  2001 

Air  Force  Audit  Agency 

Air  Force  Audit  Report  No.  99066038,  “Web  Page  Management,” 
November  8,  2000 
Appendix  B.  Report  Distribution 


Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  (Comptroller) 

Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 

Assistant  Secretary  of  Defense  (Command,  Control,  Communications,  and  Intelligence) 


Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Acquisition) 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 

Auditor  General,  Department  of  the  Air  Force 

Director,  Secretary  of  the  Air  Force,  Office  of  Public  Affairs 


Other  Defense  Organization 

Director,  Defense  Information  Systems  Agency 


Non-Defense  Federal  Organization 

Office  of  Management  and  Budget 


Congressional  Committees  and  Subcommittees,  Chairman  and 
Ranking  Minority  Member 

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 
Senate  Committee  on  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  Defense,  Committee  on  Appropriations 
House  Committee  on  Armed  Services 
House  Committee  on  Government  Reform 

House  Subcommittee  on  Government  Efficiency,  Financial  Management,  and 
Intergovernmental  Relations,  Committee  on  Government  Reform 
House  Subcommittee  on  National  Security,  Veterans  Affairs,  and  International 
Relations,  Committee  on  Government  Reform 
House  Subcommittee  on  Technology  and  Procurement  Policy,  Committee  on 
Government  Reform 
Department  of  the  Air  Force 
Comments 


DEPARTMENT  OF  THE  AIR  FORCE 

WASHINGTON  DC 


Chief  Information  Officer  1  February  2002 


MEMORANDUM  FOR  ASSISTANT  INSPECTOR  GENERAL  FOR  AUDITING 
OFFICE  OF  THE  INSPECTOR  GENERAL 
DEPARTMENT  OF  DEFENSE 

FROM:  AF-CIO 

SUBJECT:  DoD  IG  Draft  Report,  Air  Force  Web  Site  Administration,  Policies  and  Practices,  30 
Nov  01,  (Project  Code  D2001AB-G116) 


This  is  in  reply  to  your  memorandum  requesting  the  Assistant  Secretary  of  the  Air  Force 
(Financial  Management  and  Comptroller)  to  provide  Air  Force  comments  on  subject  report. 

The  Air  Force  concurs  with  the  recommendation  to  establish/refine  a  process  to 
conduct  annual  multi-disciplinary  reviews  of  Web  sites  and  report  the  findings  to  the  AF-CIO. 
The  Air  Force  Office  of  Public  Affairs  (SAF/PA)  is  establishing  this  process  to  ensure 
information  is  screened  prior  to  being  posted.  Web  masters  will  review  their  web  sites  for 
unauthorized  information  and  SAF/PA  will  accomplish  annual  and  spot  reviews  to  verify 
compliance  and  assure  content  accuracy.  We  intend  to  develop  and  implement  this  review 
process  within  6  months  (ECD:  1  Aug  2002). 

We  also  concur  with  the  need  to  revise  AFI  33-129,  “Transmission  of 
Information  Via  the  Internet.”  The  Deputy  Chief  of  Staff,  Communications  and  Information 
(AF/SC)  has  already  revised  AFI  33-129  and  will  soon  begin  formal  HQ  staff  coordination.  We 
will  ensure  the  Air  Force  Link  and  the  Government  Information  Locator  Service  data  are 
consistent.  AFI  33-129  also  addresses  the  quarantining  and  removal  of  sensitive  information. 
AF/SC  and  SAF/PA  will  work  together  to  ensure  public  Air  Force  web  sites  do  not  divulge 
inappropriate  data. 

Thank  you  for  the  opportunity  to  comment  on  this  report.  My  POC  is  Mr.  Ron 
Richardson,  703-601-3555. 


JOHN  M.  GILLIGAN 
Chief  Information  Officer 


Audit  Team  Members 

The  Acquisition  Management  Directorate,  Office  of  the  Assistant  Inspector  General  for 
Auditing,  DoD,  prepared  this  report.  Personnel  of  the  Office  of  the  Inspector  General, 
DoD,  who  contributed  to  the  report  are  listed  below. 

Mary  Ugone 
Thomas  S.  Bartoszek 
Thomas  J.  Hilliard 
Lisa  E.  Novis 
Thelma  E.  Jackson 
Carrie  Gravely 
Mandi  Markwart 
Patrice  Cousins 
Constance  Halahan 
Ann  Ferrante 
Jenshel  D.  Marshall 


